How to Port Forward Service Ports with NAT: Astaro Security Gateway

  • Article ID: 115145
  • Updated: 31 May 2012

Servers or systems behind the ASG sometimes need to be reachable from the internet. This requires forwarding the relevant service ports through the ASG: a DNAT rule rewrites the public destination address (and optionally port) to the internal host, and a packet filter rule permits the translated traffic.

Common implementations are web servers (HTTP, HTTPS), FTP servers, Remote Desktop Protocol (RDP) and Outlook Web Access (OWA).

Four common scenarios are covered:

Scenario 1 - Common port on public interface

Scenario 2 - New service port creation needed to forward

Scenario 3 - Additional public address

Scenario 4 - Additional public address and new service port


Known to apply to the following Sophos product(s) and version(s)
Astaro Security Gateway 


Operating systems
Astaro Security Gateway V7/V8


What To Do

Steps: 

For all scenarios it is recommended to first create host definitions for the web servers, email servers, FTP servers etc. that will be exposed, so that the NAT and packet filter rules can reference them by name.

Example: Webserver host definition
Goto Webadmin » Definitions & Users » Network Definitions
New Network Definition
Name: Webserver
Type: Host
Address: 10.200.200.10
Comment: My internal webserver IP

* Note that for all scenarios it is also possible to simply select the option for automatic packet filter rules when creating the NAT rule, if you do not wish to create the rule separately in the packet filter.

* Note that a Traffic Source / Source of Any exposes the forwarded service to the whole internet. For administrative protocols such as RDP, restrict the source to a network definition of known addresses (or publish the service over a VPN instead), and consider setting Log traffic to on for any rule that exposes a service so connection attempts are visible in the packet filter log.
 

Scenario 1 - Common port on public interface

Example: Webserver on HTTP TCP port 80

1) Create a DNAT rule

Goto Webadmin » Network Security » NAT
Select DNAT/SNAT tab
New NAT rule
Name: Webserver
Group: No group
Position: Bottom
Traffic Source: Any
Traffic Service: HTTP
Traffic Destination: External (address)
NAT Mode: DNAT (destination)
Destination: Webserver
Destination Service: left blank

Click Save

Once created, click the traffic light to enable the rule (red to green).

2) Create Packet filter access

Goto Webadmin » Network Security » Firewall

Select Rules tab
New Rule
Group: no group
Position: Bottom
Source: Any
Service: HTTP
Destination: Webserver
Action: Allow
Time Event: Always
Log traffic: off
Comment: Allow http traffic to webserver

Click Save

Once created, click the traffic light to enable the rule (red to green).


Scenario 2 - New service port creation needed to forward

Example: Remote Desktop Protocol (RDP) on public TCP port 10040, translated to TCP port 3389 on the Exchange server

Normally Microsoft RDP uses the predefined service definition Microsoft Remote Desktop (RDP), TCP 3389. The public-facing port can be changed so that several servers behind the ASG can each be reached on a different port of the same public address; the ASG rewrites the destination port to 3389 as part of the DNAT.

1) Create a new service definition
Goto Webadmin » Definitions & Users » Service Definitions
New Service Definition
Name: RDP_10040
Type of Definition: TCP
Destination port: 10040
Source port: 1024:65535
Comment: RDP on port 10040

2) Create a DNAT rule
Goto Webadmin » Network Security » NAT
Select DNAT/SNAT tab
New NAT rule
Name: RDP_10040 to Exchange Server
Group: No group
Position: Bottom
Traffic Source: Any
Traffic Service: RDP_10040
Traffic Destination: External (address)
NAT Mode: DNAT (destination)
Destination: Exchange_Server
Destination Service: Microsoft Remote Desktop (RDP)

Click Save

Once created, click the traffic light to enable the rule (red to green).

3) Create Packet filter access
Note that the packet filter sees the packet after DNAT has been applied, so the rule matches the internal service (Microsoft Remote Desktop (RDP), TCP 3389) and the internal host, not the public port 10040.
Goto Webadmin » Network Security » Firewall
Select Rules tab
New Rule
Group: no group
Position: Bottom
Source: Any
Service: Microsoft Remote Desktop (RDP)
Destination: Exchange_Server
Action: Allow
Time Event: Always
Log traffic: off
Comment: Allow RDP traffic to Server

Click Save

Once created, click the traffic light to enable the rule (red to green).


Scenario 3 - Additional public address 

Example: Outlook Web Access on TCP port 443 (HTTPS) on a second public address, translated to the Exchange server

1) Create Additional public address
Goto Webadmin » Interfaces & Routing » Interfaces » Additional Addresses
Select Additional Addresses
New Additional Address
Name: Exchange_Public
On interface: External
Address: 150.0.0.1
Netmask: /32 (255.255.255.255)
Comment: Exchange Public address

Click Save


2) Create a DNAT rule
Goto Webadmin » Network Security » NAT
Select DNAT/SNAT tab
New NAT rule
Name: OWA Access
Group: No group
Position: Bottom
Traffic Source: Any
Traffic Service: HTTPS
Traffic Destination: Exchange_Public (address)
NAT Mode: DNAT (destination)
Destination: Exchange_Server
Destination Service:  left blank

Click Save

Once created, click the traffic light to enable the rule (red to green).

3) Create Packet filter access
Goto Webadmin » Network Security » Firewall
Select Rules tab
New Rule
Group: no group
Position: Bottom
Source: Any
Service: HTTPS
Destination: Exchange_Server
Action: Allow
Time Event: Always
Log traffic: off
Comment: Allow OWA HTTPS traffic to Exchange Server

Click Save

Once created, click the traffic light to enable the rule (red to green).


Scenario 4 - Additional public address and new service port 

Example: Remote Desktop Protocol (RDP) on TCP port 10040 of a second public address, translated to Microsoft Remote Desktop (RDP) TCP port 3389 on the Exchange server

1) Create Additional public address (skip this step if Exchange_Public already exists from Scenario 3)
Goto Webadmin » Interfaces & Routing » Interfaces » Additional Addresses
Select Additional Addresses
New Additional Address
Name: Exchange_Public
On interface: External
Address: 150.0.0.1
Netmask: /32 (255.255.255.255)
Comment: Exchange Public address

Click Save


2) Create a new service definition (skip this step if RDP_10040 already exists from Scenario 2)
Goto Webadmin » Definitions & Users » Service Definitions
New Service Definition
Name: RDP_10040
Type of Definition: TCP
Destination port: 10040
Source port: 1024:65535
Comment: RDP on port 10040

3) Create a DNAT rule
Goto Webadmin » Network Security » NAT
Select DNAT/SNAT tab
New NAT rule
Name: RDP_10040 to Exchange Server
Group: No group
Position: Bottom
Traffic Source: Any
Traffic Service: RDP_10040
Traffic Destination: Exchange_Public (address)
NAT Mode: DNAT (destination)
Destination: Exchange_Server
Destination Service: Microsoft Remote Desktop (RDP)

Click Save

Once created, click the traffic light to enable the rule (red to green).

4) Create Packet filter access
As in Scenario 2, the packet filter rule matches the translated packet (Exchange_Server, TCP 3389), not the public address and port 10040.
Goto Webadmin » Network Security » Firewall
Select Rules tab
New Rule
Group: no group
Position: Bottom
Source: Any
Service: Microsoft Remote Desktop (RDP)
Destination: Exchange_Server
Action: Allow
Time Event: Always
Log traffic: off
Comment: Allow RDP traffic to Server

Click Save

Once created, click the traffic light to enable the rule (red to green).
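The following Python model shows how the DNAT rules and packet filter rules from all four scenarios combine, and why the packet filter rule has to be written against the translated destination rather than the public port. It is an added illustration, not code from this article or from Astaro/Sophos, and it models only the matching logic, not the real ASG rule engine. Host, service and rule names are the article's; the External interface address (203.0.113.1), the Exchange_Server address (10.200.200.20) and the sample packets are constructed for the example.

```python
"""Model of how ASG DNAT rules and packet filter rules combine for port forwarding.

Added illustration, not code from the original article or from Astaro/Sophos.
Names of hosts, services and rules are taken from the article; the External
interface address (203.0.113.1), the Exchange_Server address (10.200.200.20)
and the sample packets below are constructed for this example.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

# Network definitions (Definitions & Users » Network Definitions)
HOSTS = {
    "Any": "0.0.0.0/0",
    "External (address)": "203.0.113.1",   # assumed primary address of the External interface
    "Exchange_Public": "150.0.0.1",        # additional address from scenarios 3 and 4
    "Webserver": "10.200.200.10",
    "Exchange_Server": "10.200.200.20",    # assumed; the article does not give this address
}

# Service definitions (Definitions & Users » Service Definitions): protocol, destination port
SERVICES = {
    "HTTP": ("tcp", 80),
    "HTTPS": ("tcp", 443),
    "Microsoft Remote Desktop (RDP)": ("tcp", 3389),
    "RDP_10040": ("tcp", 10040),
}


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class DnatRule:
    name: str
    traffic_source: str
    traffic_service: str
    traffic_destination: str
    destination: str
    destination_service: Optional[str] = None  # "left blank": keep the original port


@dataclass(frozen=True)
class FilterRule:
    source: str
    service: str
    destination: str
    action: str = "Allow"


def _addr_match(addr: str, definition: str) -> bool:
    return ip_address(addr) in ip_network(HOSTS[definition], strict=False)


def _service_match(pkt: Packet, service: str) -> bool:
    proto, port = SERVICES[service]
    return pkt.proto == proto and pkt.dport == port


def apply_dnat(pkt: Packet, rules: list) -> tuple:
    """Rewrite the destination per the first matching DNAT rule (rule position matters)."""
    for rule in rules:
        if (_addr_match(pkt.src, rule.traffic_source)
                and _service_match(pkt, rule.traffic_service)
                and _addr_match(pkt.dst, rule.traffic_destination)):
            dport = pkt.dport if rule.destination_service is None else SERVICES[rule.destination_service][1]
            return replace(pkt, dst=HOSTS[rule.destination], dport=dport), rule.name
    return pkt, None


def filter_packet(pkt: Packet, rules: list) -> str:
    """First matching packet filter rule decides; anything unmatched is dropped."""
    for rule in rules:
        if (_addr_match(pkt.src, rule.source) and _service_match(pkt, rule.service)
                and _addr_match(pkt.dst, rule.destination)):
            return rule.action
    return "Drop"


def forward(pkt: Packet, dnat_rules: list, filter_rules: list) -> tuple:
    """DNAT runs before the packet filter, so the filter sees the translated packet."""
    translated, rule_name = apply_dnat(pkt, dnat_rules)
    return translated, rule_name, filter_packet(translated, filter_rules)


# The four scenarios, in the order they sit in the rule tables (Position: Bottom each time)
DNAT_RULES = [
    DnatRule("Webserver", "Any", "HTTP", "External (address)", "Webserver"),
    DnatRule("RDP_10040 to Exchange Server", "Any", "RDP_10040", "External (address)",
             "Exchange_Server", "Microsoft Remote Desktop (RDP)"),
    DnatRule("OWA Access", "Any", "HTTPS", "Exchange_Public", "Exchange_Server"),
    # the article reuses the scenario 2 name for scenario 4; suffixed here to tell them apart
    DnatRule("RDP_10040 to Exchange Server (Exchange_Public)", "Any", "RDP_10040", "Exchange_Public",
             "Exchange_Server", "Microsoft Remote Desktop (RDP)"),
]
FILTER_RULES = [
    FilterRule("Any", "HTTP", "Webserver"),
    FilterRule("Any", "Microsoft Remote Desktop (RDP)", "Exchange_Server"),
    FilterRule("Any", "HTTPS", "Exchange_Server"),
]
# A filter rule mistakenly written against the public port: it never matches the translated packet
WRONG_FILTER_RULES = [FilterRule("Any", "RDP_10040", "Exchange_Server")]

if __name__ == "__main__":
    client = "198.51.100.7"  # constructed internet client
    for pkt in (Packet("tcp", client, "203.0.113.1", 80),
                Packet("tcp", client, "203.0.113.1", 10040),
                Packet("tcp", client, "150.0.0.1", 443),
                Packet("tcp", client, "150.0.0.1", 10040),
                Packet("tcp", client, "203.0.113.1", 3389),   # no DNAT rule for 3389: dropped
                Packet("tcp", client, "203.0.113.1", 443)):   # HTTPS only forwarded on Exchange_Public
        print(pkt.dst, pkt.dport, "->", forward(pkt, DNAT_RULES, FILTER_RULES))
    print("public-port filter rule:", forward(Packet("tcp", client, "203.0.113.1", 10040),
                                              DNAT_RULES, WRONG_FILTER_RULES)[2])
```

Running it shows each scenario's packet arriving at the internal host with the expected port, and two negative cases: a connection straight to TCP 3389 on the public address is dropped because no DNAT rule matches and the filter rule only allows traffic already addressed to Exchange_Server, and the filter rule written against port 10040 drops the translated RDP traffic.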

 
If you need more information or guidance, then please contact technical support.
